Setting up a SQUID Proxy in 21 steps (made easy with Webmin!)

With the aim of managing BitTorrent traffic on my network (i.e. preventing torrents), I opted to install a proxy server on an Ubuntu gateway server to control access to torrent sites for the clients on the network. This was a basic setup with a minimal Squid proxy server config in order to get up and running quickly, and to ultimately start preventing torrent usage.

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator.

This post will walk through setting up Squid using Webmin to configure it. The simple reason for using Webmin to configure Squid is that the Webmin GUI for Squid is pretty good and makes life a lot simpler; however, I won't discuss the installation of Webmin.

If you don't have Webmin already installed, it is best to install Squid first so that Webmin automatically detects Squid. Otherwise, if you are in the same position as me with Webmin already installed, you'll need to add the Squid module to Webmin manually from the Webmin admin area.

Install Squid

1. To install Squid using aptitude, type the following command, which will download and install the needed dependencies:

    sudo aptitude install squid3

Configure Webmin

2. Log on to Webmin and refresh the modules to pick up the Squid server:

    https://serveripaddress:10000/webmin/refresh_modules.cgi

3. Once you have logged in, click on "Servers" on the left-hand side to expand the servers list.
4. Click on "Squid Proxy Server". Here you should be able to configure Squid through Webmin.
5. Click on "Ports and Networking" and note the port that Squid will be using (default: 3128). This is the port that you will need to enter in your browser in order to use Squid.

Set up the Access Control Lists

This is where we will set up the access list for clients that will be allowed through the proxy server.

6. Return to the Squid Module Index and click on the "Access Control" button.
7. At the bottom there is a button called "Create new ACL". From the drop-down box next to the button select "Client Address". This drop-down is shown below:

8. Click the "Create new ACL" button.
9. On the "Create ACL" page, fill in the following information:

ACL Name: internal_network (you can name this whatever you want, but without spaces)

From IP: the first IP allowed to use Squid. For example, you can type in 192.168.1.0 and that will allow all IPs that start with 192.168.1.

To IP: Enter the last IP allowed, or you can again use 192.168.1.0

Netmask: Enter your subnet mask (255.255.255.0)

10. Click Save. The ACL has been created and you will be returned to the Access Control screen.

Set up the Proxy Restrictions

This is where we will set up the rule to allow local traffic through the proxy server.

11. Click on the "Proxy restrictions" tab at the top.
12. Now click "Add proxy restriction".
13. Click the allow button next to Action, and highlight "internal_network" or whatever you named your ACL at step 8.
14. Click Save. The proxy restriction is now created.

Prioritise the Proxy Restrictions

This is where the proxy restriction will be appropriately prioritised to make sure traffic is processed correctly.

15. The new proxy restriction will now be visible at the bottom of the proxy restriction list. This means it is the last 'rule' to be processed when traffic reaches the proxy server.
16. On the right-hand side, click the up arrow next to your new ACL to move it to at least above the line where the action is "Deny" and the ACL is "all". (This should be one move.) I actually moved my ACL to the line above Deny !Safe_ports to get HTTPS / SSL fully working through the proxy. See below for an example:

17. At the very top of the screen click on "Apply Changes". This makes sure your internal network passes through the proxy server before the Deny all restriction is applied. If your proxy isn't working, check here first!
18. Return to the main Squid Proxy Server page.
19. Click on Stop Squid and allow it to stop.
20. Click on Start Squid. If Squid fails to start, check that the Squid access log file is writeable by the user and group proxy:proxy.

You have now completed the setup for Squid on your server.
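
The effect of steps 15 to 17 can be checked with a small model of how Squid evaluates proxy restrictions (http_access lines): top to bottom, first match wins. This is an added example, not part of the original post; the default rules other than "Deny !Safe_ports" and "Deny all", the port list and the sample requests are assumptions modelled on a stock squid.conf.

```python
import ipaddress

# ACLs modelled on a stock squid.conf (assumed, simplified) plus the post's ACL.
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777} | set(range(1025, 65536))
INTERNAL = ipaddress.ip_network("192.168.1.0/255.255.255.0")
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
    "internal_network": lambda r: ipaddress.ip_address(r["src"]) in INTERNAL,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

def decide(rules, req):
    """Walk http_access lines top to bottom; the first matching line wins."""
    for action, *names in rules:
        # Every ACL on a line must match; a leading '!' negates that ACL.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

GUARDS = [("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports")]
TAIL = [("allow", "localhost"), ("deny", "all")]
NEW = ("allow", "internal_network")

ORDERS = {
    "as created (step 15)": GUARDS + TAIL + [NEW],
    "above 'deny all' (step 16)": GUARDS + TAIL[:1] + [NEW] + TAIL[1:],
    "above 'deny !Safe_ports'": [NEW] + GUARDS + TAIL,
}

# Constructed requests: LAN browsing, LAN CONNECT to a non-SSL port, outsider.
REQUESTS = {
    "lan GET :80": {"src": "192.168.1.20", "method": "GET", "port": 80},
    "lan CONNECT :6881": {"src": "192.168.1.20", "method": "CONNECT", "port": 6881},
    "outside GET :80": {"src": "203.0.113.9", "method": "GET", "port": 80},
}

def results(order):
    """Map each sample request to the decision under the named rule order."""
    return {name: decide(ORDERS[order], req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for order in ORDERS:
        print(order, results(order))
```

With the rule above "deny !Safe_ports", requests from internal_network are allowed before the port and CONNECT checks run, so in this model those checks no longer apply to LAN clients.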

Configure the firewall for Squid

21. If you are using iptables, add the following line to your iptables rules to allow Squid through your firewall:

    -A INPUT -p tcp --dport 3128 -j ACCEPT

Your proxy server should now be working with logging!

Monitor your proxy traffic

22. Back in Webmin, in the Squid module, click the "Logging" button.
23. Here "Access Log Files" should be enabled using the radio button next to the "File path".
24. The default file path for the access log should be /var/log/squid/access.log
25. To read the access log you can use the following command:

    sudo cat /var/log/squid/access.log

Alternatively, you can view the log file through the Webmin System Log viewer:

26. Click System in the left-hand Webmin side menu.
27. Click System Logs.
28. Next to "View logs" at the bottom, enter /var/log/squid/access.log and click "View".
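
Reading the raw log with cat gets unwieldy quickly, so here is a short summariser for Squid's native access.log format. It is an added example, not part of the original post; the sample log lines are constructed, and flagging a .torrent path or the BitTorrent MIME type is an assumed heuristic chosen to match the post's goal.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1300000000.101    120 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1300000003.250      2 10.0.0.7 TCP_DENIED/403 1400 GET http://example.com/ - NONE/- text/html
1300000005.900    310 192.168.1.21 TCP_MISS/200 20480 GET http://tracker.example.net/files/distro.torrent - DIRECT/192.0.2.20 application/x-bittorrent
1300000009.004      1 192.168.1.21 TCP_DENIED/403 1400 CONNECT tracker.example.net:6881 - NONE/- text/html
truncated line
"""

def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, _, status = f[3].partition("/")
    return {"client": f[2], "code": code, "status": status,
            "method": f[5], "url": f[6], "mime": f[9]}

def summarise(text):
    """Count denied requests per client and collect .torrent fetches."""
    denied, torrents, skipped = Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so damaged lines are not silently lost
            continue
        if rec["code"].startswith("TCP_DENIED"):
            denied[rec["client"]] += 1
        # Assumed heuristic: a .torrent path or the BitTorrent MIME type.
        path = urlsplit(rec["url"]).path if "://" in rec["url"] else ""
        if path.lower().endswith(".torrent") or rec["mime"] == "application/x-bittorrent":
            torrents.append((rec["client"], rec["url"]))
    return denied, torrents, skipped

if __name__ == "__main__":
    denied, torrents, skipped = summarise(SAMPLE_LOG)
    print("denied per client:", dict(denied))
    print("torrent fetches:", torrents)
    print("unparsed lines:", skipped)
```

To run it against the real log, pass the contents of /var/log/squid/access.log to summarise() instead of SAMPLE_LOG.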

Configure your clients to use the Squid proxy

Firefox

1. Open Preferences
2. Click on Advanced
3. Select the Network tab
4. Open Settings. Click the Manual proxy configuration button.
5. Under HTTP Proxy add the IP address of your Squid Proxy Server, and then add the correct Port number (default: 3128).
6. Click Use this proxy server for all protocols.
7. In the No Proxy for box, type: localhost, 127.0.0.1

Internet Explorer

1. Open up your Internet Preferences dialog
2. Select the Connections tab
3. Open LAN settings
4. Click the box next to Use a proxy server for your LAN
5. Enter the correct IP address and port.
6. Click on Bypass proxy server for local addresses.
7. Click Ok, and Ok.

Start Squid on start up {untested}

Option 1 - Add the service to the run time control

First ensure you have /etc/init.d/squid

Then run:

    sudo update-rc.d squid defaults

Option 2 - Manually start squid through the rc.local by using the following command:

    sudo gedit /etc/rc.local

4 comments:

I have 1 computer with 2 network cards. I want to config eth0 as internet source and eth1 as router with squid proxy + dhcp enable for client computer. Can you help me how to do that? Thank you very much! :)

Recently I set up a Reverse Proxy Server with Squid (server accelerator) and wrote a full detailed tutorial that you can find at:

http://cosmolinux.no-ip.org/raconetlinux/html/17-squid.html

where I explain how to configure Squid (version 3.x) as a reverse Proxy Server (server accelerator), providing examples about how to do it using two computers (one as a Proxy server and another as a Web Server) or just by using one single computer.

I also describe how to format the Squid's logs and how to send the logs to a remote computer. Also, you can find an explanation of how to deny access to certain files and how to get correct logs in Apache Web Server.

We specialize in serving intelligent network administrators high quality blacklists for effective, targeted web filtering. There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.